From b35c647481db314dfb9443dc0114b530a91f428c Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 10 Jul 2012 08:43:38 -0400
Subject: [PATCH] nss_domain attribute patch 3, Miroslav Grepl

---
 policy/modules/system/authlogin.te | 26 ++++++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 1c2810b93..6b8d6f245 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -5,6 +5,14 @@ policy_module(authlogin, 2.3.1)
 # Declarations
 #
+
+##
+##
+## Allow users to resolve user passwd entries directly from ldap rather then using a sssd server
+##
+##
+gen_tunable(authlogin_nsswitch_use_ldap, false)
+
 attribute can_read_shadow_passwords;
 attribute can_write_shadow_passwords;
 attribute can_relabelto_shadow_passwords;
@@ -407,17 +415,23 @@ files_list_var_lib(nsswitch_domain)
 # read /etc/nsswitch.conf
 files_read_etc_files(nsswitch_domain)
-miscfiles_read_generic_certs(nsswitch_domain)
-
 sysnet_dns_name_resolve(nsswitch_domain)
-sysnet_use_ldap(nsswitch_domain)
-optional_policy(`
- avahi_stream_connect(nsswitch_domain)
+tunable_policy(`authlogin_nsswitch_use_ldap',`
+ files_list_var_lib(nsswitch_domain)
+
+ miscfiles_read_generic_certs(nsswitch_domain)
+ sysnet_use_ldap(nsswitch_domain)
 ')
 optional_policy(`
- ldap_stream_connect(nsswitch_domain)
+ tunable_policy(`authlogin_nsswitch_use_ldap',`
+ ldap_stream_connect(nsswitch_domain)
+ ')
+')
+
+optional_policy(`
+ avahi_stream_connect(nsswitch_domain)
 ')
 optional_policy(`
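Review bot: The description added above `gen_tunable(authlogin_nsswitch_use_ldap, false)` understates what the boolean controls and contains a typo ("rather then"). In the second hunk the same boolean gates `sysnet_use_ldap`, `miscfiles_read_generic_certs` and `ldap_stream_connect` for every domain carrying the `nsswitch_domain` attribute, not only passwd lookups made by users. This text is presumably what an administrator reads when deciding whether to enable the boolean, so it should name the real scope, for example `## Allow domains that use nsswitch to query LDAP directly, including reading generic certificates, rather than going through an sssd server`.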
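Review bot: The `files_list_var_lib(nsswitch_domain)` line added inside the new `tunable_policy` block looks redundant, because the hunk header context shows the same call already present at top level just before this hunk, so the access appears to be granted whether or not `authlogin_nsswitch_use_ldap` is set. Either drop it from the conditional block, or, if listing /var/lib is meant to be needed only for LDAP, remove the unconditional call (which lies outside this hunk) so the boolean actually narrows the grant. Separately, with the default of `false`, domains in `nsswitch_domain` no longer get `sysnet_use_ldap` or `miscfiles_read_generic_certs` after an upgrade. Hosts that resolve accounts through LDAP without sssd will presumably see lookup failures and AVC denials until the boolean is turned on, which deserves a line in the commit description or release notes.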